Researcher Tries to Get Ahead of CFAA Changes, Dumps 10M Sanitized Passwords

A dump of 10 million sanitized usernames and passwords was released online, sparking debate over its legality in light of proposed changes to the Computer Fraud and Abuse Act.

The Obama administration’s proposed changes to Computer Fraud and Abuse Act (CFAA) have security researchers on edge. The amendments, spurred on by 2014’s seemingly never-ending stream of data breaches, contain vagaries in their language that threaten legitimate research done in the name of improving the security of ecommerce and communication. Topped off by newer and stricter jail sentences and fines, the effects could be chilling on white hats.

One such good-guy hacker last night took what some are viewing as a rash step when he released upwards of 10 million username-password combinations online. Mark Burnett, a longtime Windows security consultant and author of Perfect Passwords (published in 2005), has been collecting publicly available passwords for 15 years to aid in his research. Burnett said he scours Pastebin and other paste sites, hacking forums and other researchers who work in this discipline, collecting data on stolen passwords in an attempt to learn more about user behavior and improve password security.

“I get emails, once a day, asking for my data and I tell people it’s not stuff that I can give out,” Burnett said this morning. “A lot of people want to do password research and analyze how they’re used. I’ve collected a lot of dumps, but I cannot republish what I’d learned because personal information was contained.”

That, Burnett said, was part of his motivation to release his list of 10 million passwords. Burnett said he spent two months sanitizing the data in preparation for its release. He wrote scripts that eliminate bad data, spam accounts, and personal data such as company names or domain names. Coupled with a lot of manual review through different database queries, Burnett cut the list loose last night. Users will see, Burnett said, two columns of data that include usernames associated with a plaintext password. Email addresses, for example, have the domain portion removed, Burnett said. Keywords such as company names have also been removed, as well as any data that could be linked to specific individuals, he said, adding that he also removed anything that looked like financial information such as credit card numbers or financial account numbers. He said he also removed accounts belonging to government or military sources where possible.

Burnett said he believes most of the passwords are dead, since most of the breaches are old and the users have been notified or forced to change their passwords.

“It shouldn’t be an issue if you’re not committing a crime. Are you commiting a crime if you download data? Is research a crime?”
– Mark Burnett

“The point is to have this data; it’s nothing new or nothing I’ve leaked. It’s information that has been leaked and been out there for years,” Burnett said. “It’s in a format that’s useful. The point is to have a good set of data everyone is working on and working on the same data. That way, there’s consistent analysis.”

That doesn’t mean Burnett is 100 percent sure he won’t get a phone call or a visit from law enforcement. But his password dump, he thinks, is safe from the law as it’s written today. On his personal site, Burnett said his intent is not to defraud or facilitate unauthorized access to computers or aid in the commission of a crime. The fact, he said, is that he believes most of the passwords are dead does not constitute authentication in the eyes of the law because “dead passwords will not allow you to authenticate.”

“It shouldn’t be an issue if you’re not committing a crime,” Burnett said, adding that he’s gotten more traffic to his website overnight than he does in an average month. “Are you committing a crime if you download data? Is research a crime? There is so much vague language in the law, you cannot say.”

If the proposed CFAA amendments are passed, that could change. One change to the act, for example, makes it a crime to knowingly and willfully traffic in any password or similar information; as it currently reads, there would need for there to be an intent to defraud for this type of trafficking to be a crime. Intent to defraud has been removed in the amendment, meaning in theory, that sharing a Netflix password, for example, would be illegal.

The recent sentencing of journalist and alleged Anonymous spokesman Barrett Brown—63 months for linking to data allegedly stolen by Stratfor hacker Jeremy Hammond—was also noted by Burnett in his post, which he said he was compelled to write in the hopes of staving off legal action against him.

“These password dumps happen all the time; I could get 200,000 a day online. It’s nothing new, I’m just re-releasing the data in a format that’s useful to researchers,” Burnett said. “It’s really not useful for hackers. People we should be afraid of already have this data. The whole purpose of this is to see what people can find from the data and help improve security knowledge overall.”

Suggested articles

Hey Alexa, Who Am I Messaging?

Research shows that microphones on digital assistants are sensitive enough to record what someone is typing on a smartphone to steal PINs and other sensitive info.